systemtruststores / systemtruststores.github.io

Website

Language support: Erlang #6

Open chriskilding opened 2 years ago

chriskilding commented 2 years ago

Tracking support for native TLS certificate verification in Erlang.

chriskilding commented 2 years ago

Unlike most other languages, the httpc client in vanilla Erlang actually has an insecure default of not verifying certificates at all.

(This frequently causes confusion in new users of httpc, as seen in threads like this: https://groups.google.com/g/erlang-programming/c/67olWRw3Hr4)

To make httpc verify the cert used, you must pass the location of a cert bundle on disk like this:

%% Start the applications httpc and its TLS support depend on.
application:start(inets).
application:start(crypto).
application:start(asn1).
application:start(public_key).
application:start(ssl).

%% Without the ssl option list httpc does not verify the server certificate;
%% verify_peer plus an explicit CA bundle path turns verification on.
httpc:request(get, {"https://example.com", []},
    [{ssl, [{verify, verify_peer}, {cacertfile, "/path/to/cacertfile.crt"}]}], []).

So there is clearly scope to add a native cert verification strategy here, the difficulty is perhaps that we're starting from an insecure default and going to something more restrictive.
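As an added example (not code from the issue thread or from the systemtruststores project), the following module shows what a native trust store strategy for httpc can look like: instead of a hard-coded cacertfile path, it loads the operating system's CA certificates with public_key:cacerts_get/0, which assumes Erlang/OTP 25 or newer, and combines that with verify_peer and an HTTPS hostname match function. The module name native_tls_httpc and the function names are assumptions for this example.

```erlang
%% Added example (not from the issue thread): build an httpc ssl option list
%% that verifies the server certificate against the operating system's trust
%% store instead of a hard-coded cacertfile path.
%% Assumes Erlang/OTP 25 or newer, where public_key:cacerts_get/0 exists.
-module(native_tls_httpc).
-export([ssl_opts/0, get/1]).

%% TLS client options that verify the peer chain and the hostname.
ssl_opts() ->
    [{verify, verify_peer},
     %% OTP 25+: loads the OS trust store (e.g. /etc/ssl/certs on Linux,
     %% the system keychain on macOS, the Windows certificate store).
     {cacerts, public_key:cacerts_get()},
     %% Maximum length of the chain between the leaf and a trusted root.
     {depth, 3},
     %% Hostname check following RFC 6125 rules for HTTPS (wildcards etc.).
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Perform an HTTPS GET with verification enabled. Returns {ok, Body} for a
%% 200 response or {error, Reason}; a server certificate that does not chain
%% to the OS trust store makes httpc return an error tuple instead of a body.
get(Url) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    case httpc:request(get, {Url, []}, [{ssl, ssl_opts()}], [{body_format, binary}]) of
        {ok, {{_Vsn, 200, _Reason}, _Headers, Body}} -> {ok, Body};
        {ok, {{_Vsn, Status, _Reason}, _Headers, _Body}} -> {error, {http_status, Status}};
        {error, Reason} -> {error, Reason}
    end.
```

Usage from the shell is `native_tls_httpc:get("https://example.com").` Keeping the option list in one function makes it easy to pass the same verified settings to every httpc call (or to set them once as a default profile option) rather than relying on each call site to remember verify_peer, which is the failure mode the thread above describes.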

chriskilding commented 2 years ago

There is also the question of how other Erlang / Elixir HTTP clients (like httpoison) behave; they may not do the same as httpc.